0

I would like to use authentication form on every page (in the header of the page), so user could authenticated from any page. I'm using Tomcat's FORM based authentication, but when i go to my index page, and try to login using the form in the header, I get:

HTTP 400 - Invalid Direct Reference To Login Page

Is there any workaround I could use, some settings in web.xml maybe, to solve this problem?

Edit: Here is the header's login form:

<form method="post" action="j_security_check">
     <input type="text" name="j_username" class="login"/>
     <input type="password" name="j_password" class="login"/>
     <input type="submit" value="Login"/>
</form>
Igor
  • 1,406
  • 2
  • 23
  • 45
  • Can you show how are you displaying form in your header (JSP code)? – craftsman May 28 '11 at 17:02
  • @craftsman I've edited the question with login form. – Igor May 28 '11 at 17:25
  • If you happen to use Tomcat 7 (with Java 6 und Servlet 3.0), then you now have the option to use programmatic login to achieve what you essentially try to do (see http://download.oracle.com/javaee/6/tutorial/doc/gjiie.html). – Codo Aug 05 '11 at 19:09

2 Answers2

0

Are you stated your login screen as "welcome" ? In case of success login it tries to loop you through login page again. What is welcome-page tag in your web.xml ?

acm0x
  • 775
  • 6
  • 14
  • Hi Alex! I haven't set **welcome-file** in my app, so default are used. But, I'm accessing my application with direct url e.g. http://localhost:8080/my-app/home.jsp... On my home page (and every other page), in the header I have a login form. – Igor May 28 '11 at 16:10
0

The concept of Tomcat's form based authentication is that it intercepts unauthenticated requests to protected pages and internally redirects to a separate login page. It also saves the original page request. Once the user has successfully logged in, the original page request is replayed and the protected page is displayed.

What you are trying to achieve is - as far as I can derive from your short description - something different. Basically, all your pages are public. Optionally, a user can log in and will then get personalized pages.

Tomcat won't help you implementing this. When you use the j_security_check action, it will be unable to do anything because it never intercepted a request in the first place.

Instead, it's probably easier to check the username and password yourself if the login form is submitted. If they are okay, just put the username into your session data. An authenticated session can easily be recognized as it contains the username in the session data.

There is probably even a way to reuse the Tomcat realms that are e.g. able to check username and password against a database. But I don't know for sure.

Codo
  • 75,595
  • 17
  • 168
  • 206
  • Thanx for useful info! As you mentioned, it appears it's not possible to put login on every page using **j_security_check**. Maybe using filters could help, but for now I'm sticking with BASIC authentication, which provided enough for me at the moment. – Igor Jun 02 '11 at 13:28